From: Mark Johnston
Subject: git: e5cf3437275f - stable/15 - pf: Pass v6 packets to the divert socket
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: markj
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: e5cf3437275f9fec24cc0a0655a33830ed6f7388
Date: Tue, 31 Mar 2026 15:58:37 +0000
Message-Id: <69cbef2d.3a834.5fb29ed5@gitrepo.freebsd.org>

The branch stable/15 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=e5cf3437275f9fec24cc0a0655a33830ed6f7388

commit e5cf3437275f9fec24cc0a0655a33830ed6f7388
Author:     Mark Johnston
AuthorDate: 2026-01-27 13:48:09 +0000
Commit:     Mark Johnston
CommitDate: 2026-03-31 15:57:27 +0000

    pf: Pass v6 packets to the divert socket

    There is no particular limitation of divert sockets with respect to
    IPv6, and the pf.conf man page does not mention the restriction to IPv4.

    Extend the divert-to regression tests to exercise the v6 case.

    Reviewed by:    igoro, kp, glebius
    MFC after:      3 weeks
    Sponsored by:   OPNsense
    Sponsored by:   Klara, Inc.
    Differential Revision:  https://reviews.freebsd.org/D54847

    (cherry picked from commit b0d99709502294812b11c139f64b0b78f5d2d457)
---
 sys/netpfil/pf/pf.c               |   6 +-
 tests/sys/netpfil/common/divapp.c |   2 +-
 tests/sys/netpfil/pf/divert-to.sh | 249 ++++++++++++++++++++++++++++----------
 3 files changed, 189 insertions(+), 68 deletions(-)

diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index 8b0fca69827e..6349e922387b 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c 
@@ -11231,8 +11231,7 @@ done: pf_is_loopback(af, pd.dst)) pd.m->m_flags |= M_SKIP_FIREWALL; - if (af == AF_INET && action == PF_PASS && r->divert.port && - !PACKET_LOOPED(&pd)) { + if (action == PF_PASS && r->divert.port && !PACKET_LOOPED(&pd)) { mtag = m_tag_alloc(MTAG_PF_DIVERT, 0, sizeof(struct pf_divert_mtag), M_NOWAIT | M_ZERO); if (__predict_true(mtag != NULL && ip_divert_ptr != NULL)) { @@ -11280,9 +11279,6 @@ done: "pf: divert(4) is not loaded"); } } - /* XXX: Anybody working on it?! */ - if (af == AF_INET6 && r->divert.port) - printf("pf: divert(9) is not supported for IPv6\n"); /* this flag will need revising if the pkt is forwarded */ if (pd.pf_mtag) diff --git a/tests/sys/netpfil/common/divapp.c b/tests/sys/netpfil/common/divapp.c index d0f4b345b14c..b1c38fdc87b4 100644 --- a/tests/sys/netpfil/common/divapp.c +++ b/tests/sys/netpfil/common/divapp.c @@ -135,7 +135,7 @@ main(int argc, char *argv[]) if (c.divert_back) send_pkt(&c); npkt++; - if (npkt >= 10) + if (npkt >= 20) break; } diff --git a/tests/sys/netpfil/pf/divert-to.sh b/tests/sys/netpfil/pf/divert-to.sh index 2e0f6920db27..bc4222c2bd03 100644 --- a/tests/sys/netpfil/pf/divert-to.sh +++ b/tests/sys/netpfil/pf/divert-to.sh 
@@ -73,16 +73,20 @@ in_div_body() epair=$(vnet_mkepair) vnet_mkjail div ${epair}b - ifconfig ${epair}a 192.0.2.1/24 up - jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad + atf_check jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec div ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec div pfctl -e pft_set_rules div \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2000" + "pass all" \ + "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2000" \ + "pass in inet6 proto icmp6 icmp6-type echoreq divert-to ::1 port 2000" jexec div $(atf_get_srcdir)/../common/divapp 2000 & divapp_pid=$! @@ -93,6 +97,16 @@ in_div_body() atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2 wait $divapp_pid + + jexec div $(atf_get_srcdir)/../common/divapp 2000 & + divapp_pid=$! + # Wait for the divapp to be ready + sleep 1 + + # divapp is expected to "eat" the packet + atf_check -s not-exit:0 -o ignore ping -c1 -t1 2001:db8::2 + + wait $divapp_pid } in_div_cleanup() { 
@@ -112,16 +126,20 @@ in_div_in_body() epair=$(vnet_mkepair) vnet_mkjail div ${epair}b - ifconfig ${epair}a 192.0.2.1/24 up - jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad + atf_check jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec div ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec div pfctl -e pft_set_rules div \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2000 no state" + "pass all" \ + "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2000 no state" \ + "pass in inet6 proto icmp6 icmp6-type echoreq divert-to ::1 port 2000 no state" jexec div $(atf_get_srcdir)/../common/divapp 2000 divert-back & divapp_pid=$! @@ -132,6 +150,16 @@ in_div_in_body() atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 wait $divapp_pid + + jexec div $(atf_get_srcdir)/../common/divapp 2000 divert-back & + divapp_pid=$! + # Wait for the divapp to be ready + sleep 1 + + # divapp is expected to "eat" the packet + atf_check -s exit:0 -o ignore ping -c1 -t1 2001:db8::2 + + wait $divapp_pid } in_div_in_cleanup() { 
@@ -151,17 +179,22 @@ out_div_body() epair=$(vnet_mkepair) vnet_mkjail div ${epair}b - ifconfig ${epair}a 192.0.2.1/24 up - jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad + atf_check jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec div ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec div pfctl -e pft_set_rules div \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq no state" \ - "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2000 no state" + "pass all" \ + "pass in inet proto icmp icmp-type echoreq no state" \ + "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2000 no state" \ + "pass in inet6 proto icmp6 icmp6-type echoreq no state" \ + "pass out inet6 proto icmp6 icmp6-type echorep divert-to ::1 port 2000 no state" jexec div $(atf_get_srcdir)/../common/divapp 2000 & divapp_pid=$! @@ -172,6 +205,16 @@ out_div_body() atf_check -s not-exit:0 -o ignore ping -c1 -t1 192.0.2.2 wait $divapp_pid + + jexec div $(atf_get_srcdir)/../common/divapp 2000 & + divapp_pid=$! + # Wait for the divapp to be ready + sleep 1 + + # divapp is expected to "eat" the packet + atf_check -s not-exit:0 -o ignore ping -c1 -t1 2001:db8::2 + + wait $divapp_pid } out_div_cleanup() { 
@@ -191,17 +234,22 @@ out_div_out_body() epair=$(vnet_mkepair) vnet_mkjail div ${epair}b - ifconfig ${epair}a 192.0.2.1/24 up - jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad + atf_check jexec div ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec div ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec div pfctl -e pft_set_rules div \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq no state" \ - "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2000 no state" + "pass all" \ + "pass in inet proto icmp icmp-type echoreq no state" \ + "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2000 no state" \ + "pass in inet6 proto icmp6 icmp6-type echoreq no state" \ + "pass out inet6 proto icmp6 icmp6-type echorep divert-to ::1 port 2000 no state" jexec div $(atf_get_srcdir)/../common/divapp 2000 divert-back & divapp_pid=$! @@ -212,6 +260,16 @@ out_div_out_body() atf_check -s exit:0 -o ignore ping -c1 192.0.2.2 wait $divapp_pid + + jexec div $(atf_get_srcdir)/../common/divapp 2000 divert-back & + divapp_pid=$! + # Wait for the divapp to be ready + sleep 1 + + # divapp is NOT expected to "eat" the packet + atf_check -s exit:0 -o ignore ping -c1 2001:db8::2 + + wait $divapp_pid } out_div_out_cleanup() { 
@@ -234,40 +292,63 @@ in_div_in_fwd_out_div_out_body() epair1=$(vnet_mkepair) vnet_mkjail router ${epair0}b ${epair1}a - ifconfig ${epair0}a 192.0.2.1/24 up - jexec router sysctl net.inet.ip.forwarding=1 - jexec router ifconfig ${epair0}b 192.0.2.2/24 up - jexec router ifconfig ${epair1}a 198.51.100.1/24 up + atf_check ifconfig ${epair0}a 192.0.2.1/24 up + atf_check ifconfig ${epair0}a inet6 2001:db8::1/64 no_dad + atf_check -o ignore jexec router sysctl net.inet.ip.forwarding=1 + atf_check -o ignore jexec router sysctl net.inet6.ip6.forwarding=1 + atf_check jexec router ifconfig ${epair0}b 192.0.2.2/24 up + atf_check jexec router ifconfig ${epair0}b inet6 2001:db8::2/64 no_dad + atf_check jexec router ifconfig ${epair1}a 198.51.100.1/24 up + atf_check jexec router ifconfig ${epair1}a inet6 2001:db9::1/64 no_dad vnet_mkjail site ${epair1}b jexec site ifconfig ${epair1}b 198.51.100.2/24 up + jexec site ifconfig ${epair1}b inet6 2001:db9::2/64 no_dad jexec site route add default 198.51.100.1 + jexec site route -6 add default 2001:db9::1 - route add -net 198.51.100.0/24 192.0.2.2 + atf_check -o ignore route add -net 198.51.100.0/24 192.0.2.2 + atf_check -o ignore route -6 add -net 2001:db9::/64 2001:db8::2 # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 # Should be routed without pf - atf_check -s exit:0 -o ignore ping -c3 198.51.100.2 + atf_check -o ignore ping -c3 198.51.100.2 + atf_check -o ignore ping -c3 2001:db9::2 jexec router pfctl -e pft_set_rules router \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2001 no state" \ - "pass out inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2002 no state" + "pass all" \ + "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2001 no state" \ + "pass out inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2002 no state" \ + "pass in inet6 proto icmp6 
icmp6-type echoreq divert-to ::1 port 2001 no state" \ + "pass out inet6 proto icmp6 icmp6-type echoreq divert-to ::1 port 2002 no state" jexec router $(atf_get_srcdir)/../common/divapp 2001 divert-back & indivapp_pid=$! jexec router $(atf_get_srcdir)/../common/divapp 2002 divert-back & outdivapp_pid=$! - # Wait for the divappS to be ready + # Wait for the divapps to be ready sleep 1 - # Both divappS are NOT expected to "eat" the packet + # Both divapps are NOT expected to "eat" the packet atf_check -s exit:0 -o ignore ping -c1 198.51.100.2 wait $indivapp_pid && wait $outdivapp_pid + + jexec router $(atf_get_srcdir)/../common/divapp 2001 divert-back & + indivapp_pid=$! + jexec router $(atf_get_srcdir)/../common/divapp 2002 divert-back & + outdivapp_pid=$! + # Wait for the divapps to be ready + sleep 1 + + # Both divapps are NOT expected to "eat" the packet + atf_check -o ignore ping -c1 2001:db9::2 + + wait $indivapp_pid && wait $outdivapp_pid } in_div_in_fwd_out_div_out_cleanup() { @@ -287,12 +368,15 @@ in_dn_in_div_in_out_div_out_dn_out_body() epair=$(vnet_mkepair) vnet_mkjail alcatraz ${epair}b - ifconfig ${epair}a 192.0.2.1/24 up - ifconfig ${epair}a ether 02:00:00:00:00:01 - jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad + atf_check ifconfig ${epair}a ether 02:00:00:00:00:01 + atf_check jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 # a) ping should time out due to very narrow dummynet pipes { 
@@ -301,17 +385,19 @@ in_dn_in_div_in_out_div_out_dn_out_body() jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "ether pass in from 02:00:00:00:00:01 l3 all dnpipe 1001" \ - "ether pass out to 02:00:00:00:00:01 l3 all dnpipe 1002 " \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 1001 no state" \ - "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 1002 no state" + "ether pass in from 02:00:00:00:00:01 l3 all dnpipe 1001" \ + "ether pass out to 02:00:00:00:00:01 l3 all dnpipe 1002 " \ + "pass all" \ + "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 1001 no state" \ + "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 1002 no state" \ + "pass in inet6 proto icmp6 icmp6-type echoreq divert-to ::1 port 1001 no state" \ + "pass out inet6 proto icmp6 icmp6-type echorep divert-to ::1 port 1002 no state" jexec alcatraz $(atf_get_srcdir)/../common/divapp 1001 divert-back & indivapp_pid=$! jexec alcatraz $(atf_get_srcdir)/../common/divapp 1002 divert-back & outdivapp_pid=$! - # Wait for the divappS to be ready + # Wait for the divapps to be ready sleep 1 atf_check -s not-exit:0 -o ignore ping -c1 -s56 -t1 192.0.2.2 @@ -321,6 +407,20 @@ in_dn_in_div_in_out_div_out_dn_out_body() wait $outdivapp_pid atf_check_not_equal 0 $? + jexec alcatraz $(atf_get_srcdir)/../common/divapp 1001 divert-back & + indivapp_pid=$! + jexec alcatraz $(atf_get_srcdir)/../common/divapp 1002 divert-back & + outdivapp_pid=$! + # Wait for the divapps to be ready + sleep 1 + + atf_check -s not-exit:0 -o ignore ping -c1 -s56 -t1 2001:db8::2 + + wait $indivapp_pid + atf_check_not_equal 0 $? + wait $outdivapp_pid + atf_check_not_equal 0 $? + # } # b) ping should NOT time out due to wide enough dummynet pipes { 
@@ -330,20 +430,36 @@ in_dn_in_div_in_out_div_out_dn_out_body() jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "ether pass in from 02:00:00:00:00:01 l3 all dnpipe 2001" \ - "ether pass out to 02:00:00:00:00:01 l3 all dnpipe 2002 " \ - "pass all" \ - "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2001 no state" \ - "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2002 no state" + "ether pass in from 02:00:00:00:00:01 l3 all dnpipe 2001" \ + "ether pass out to 02:00:00:00:00:01 l3 all dnpipe 2002 " \ + "pass all" \ + "pass in inet proto icmp icmp-type echoreq divert-to 127.0.0.1 port 2001 no state" \ + "pass out inet proto icmp icmp-type echorep divert-to 127.0.0.1 port 2002 no state" \ + "pass in inet6 proto icmp6 icmp6-type echoreq divert-to ::1 port 2001 no state" \ + "pass out inet6 proto icmp6 icmp6-type echorep divert-to ::1 port 2002 no state" jexec alcatraz $(atf_get_srcdir)/../common/divapp 2001 divert-back & indivapp_pid=$! jexec alcatraz $(atf_get_srcdir)/../common/divapp 2002 divert-back & outdivapp_pid=$! - # Wait for the divappS to be ready + # Wait for the divapps to be ready sleep 1 - atf_check -s exit:0 -o ignore ping -c1 -s56 -t1 192.0.2.2 + atf_check -o ignore ping -c1 -s56 -t1 192.0.2.2 + + wait $indivapp_pid + atf_check_equal 0 $? + wait $outdivapp_pid + atf_check_equal 0 $? + + jexec alcatraz $(atf_get_srcdir)/../common/divapp 2001 divert-back & + indivapp_pid=$! + jexec alcatraz $(atf_get_srcdir)/../common/divapp 2002 divert-back & + outdivapp_pid=$! + # Wait for the divapps to be ready + sleep 1 + + atf_check -o ignore ping -c1 -s56 -t1 2001:db8::2 wait $indivapp_pid atf_check_equal 0 $? 
@@ -364,20 +480,22 @@ pr260867_head() atf_set require.user root atf_set require.kmods ipdivert } - pr260867_body() { pft_init epair=$(vnet_mkepair) - ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad vnet_mkjail alcatraz ${epair}b - jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec alcatraz /usr/sbin/inetd -p ${PWD}/inetd-echo.pid $(atf_get_srcdir)/echo_inetd.conf jexec alcatraz $(atf_get_srcdir)/../common/divapp 1001 divert-back & @@ -388,10 +506,14 @@ pr260867_body() reply=$(echo "foo" | nc -N 192.0.2.2 7) if [ "${reply}" != "foo" ]; then - atf_fail "Did not receive echo reply" + atf_fail "Did not receive v4 echo reply" fi -} + reply=$(echo "foo" | nc -N -6 2001:db8::2 7) + if [ "${reply}" != "foo" ]; then + atf_fail "Did not receive v6 echo reply" + fi +} pr260867_cleanup() { pft_cleanup @@ -404,7 +526,6 @@ pr260867_icmp_head() atf_set require.user root atf_set require.kmods ipdivert } - pr260867_icmp_body() { pft_init 
@@ -412,22 +533,26 @@ pr260867_icmp_body() epair=$(vnet_mkepair) atf_check ifconfig ${epair}a 192.0.2.1/24 up + atf_check ifconfig ${epair}a inet6 2001:db8::1/64 no_dad vnet_mkjail alcatraz ${epair}b - jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec alcatraz ifconfig ${epair}b 192.0.2.2/24 up + atf_check jexec alcatraz ifconfig ${epair}b inet6 2001:db8::2/64 no_dad # Sanity check - atf_check -s exit:0 -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 192.0.2.2 + atf_check -o ignore ping -c3 2001:db8::2 jexec alcatraz $(atf_get_srcdir)/../common/divapp 1001 divert-back & jexec alcatraz pfctl -e pft_set_rules alcatraz \ - "pass in on ${epair}b proto icmp from any to any divert-to 0.0.0.0 port 1001" + "pass in on ${epair}b proto icmp from any to any divert-to 0.0.0.0 port 1001" \ + "pass in on ${epair}b proto icmp6 from any to any divert-to :: port 1001" atf_check -o ignore ping -c 3 192.0.2.2 + atf_check -o ignore ping -c 3 2001:db8::2 } - pr260867_icmp_cleanup() { pft_cleanup
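
Review bot: dropping `af == AF_INET` from the divert condition in sys/netpfil/pf/pf.c (hunk `@@ -11231`) changes what already-deployed rulesets do, and neither the commit message nor the diff documents that. A `divert-to` rule that also matches inet6 used to pass v6 packets through with only the removed `printf("pf: divert(9) is not supported for IPv6\n")` as a hint; after this change the same rule tags those packets for the divert socket. For a stable/15 merge, consider a release-note or UPDATING entry telling operators to review address-family-agnostic `divert-to` rules before upgrading.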
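
Review bot: the new limit `if (npkt >= 20)` in main() of tests/sys/netpfil/common/divapp.c is an unexplained magic number, and the commit message does not say why 10 was no longer enough. Add a short comment stating which test needs the higher count (or a named constant), so a later change to the tests does not silently outrun it.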
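
Review bot: in in_div_in_body() of tests/sys/netpfil/pf/divert-to.sh, the comment on the added v6 block says divapp is expected to "eat" the packet, but divapp is started with `divert-back` and the check is `atf_check -s exit:0 -o ignore ping -c1 -t1 2001:db8::2`, so the ping has to succeed. The comment should say NOT expected, as the v6 block in out_div_out_body() does. The `-t1` is also absent from the v4 check in the same function (`ping -c1 192.0.2.2`); either drop it or use it for both families.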
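
Review bot: in in_div_in_fwd_out_div_out_body(), the second network uses `2001:db9::/64` (`2001:db9::1`, `2001:db9::2`, and the `route -6 add -net 2001:db9::/64` line), which lies outside the 2001:db8::/32 documentation prefix used everywhere else in the file. Use a second /64 inside the documentation range, for example `2001:db8:1::/64`. In the same hunk the two added `jexec site` lines for the v6 address and default route are not wrapped in `atf_check`, unlike the router and host setup lines around them, so a failure there only shows up later as a failed ping.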
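
Review bot: the added v6 check in pr260867_body() (`nc -N -6 2001:db8::2 7`) depends on inetd serving the echo service over IPv6, but echo_inetd.conf is not among the three files this commit touches. Please confirm that file already carries a tcp6 echo entry; if it does not, this case fails with "Did not receive v6 echo reply" for a reason unrelated to pf. The hunk also removes the blank lines between the `_head`, `_body` and `_cleanup` functions, which is unrelated whitespace churn for a merge to stable.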
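
Review bot: the added rule in pr260867_icmp_body(), `pass in on ${epair}b proto icmp6 from any to any divert-to :: port 1001`, matches every ICMPv6 message, and ICMPv6 carries neighbour discovery, so the v6 ping now also depends on neighbour solicitations making the round trip through divapp. The v4 rule has no such side effect, because ARP is not ICMP. If the test is only meant to cover echo, restrict the rule with `icmp6-type echoreq` as the other test cases do; if diverting neighbour discovery is intended, say so in a comment above the rule.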